32 What are the requirements for a D/C1/C2/B1/B2/B3/A1 system? (Computer Security Evaluation)

This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.
The Interpreted Trusted Computer System Evaluation Criteria
(ITCSEC), available in PostScript at
<http://www.radium.ncsc.mil/tpep/library/tcsec/ITCSEC.ps>,
contains the definitive set of requirements for each TCSEC
class. In summary:

Class D: Minimal Protection

Class D is reserved for those systems that have been evaluated
but that fail to meet the requirements for a higher evaluation
class.

Class C1: Discretionary Security Protection

The Trusted Computing Base (TCB) of a class C1 system
nominally satisfies the discretionary security requirements by
providing separation of users and data. It incorporates some
form of credible controls capable of enforcing access
limitations on an individual basis, i.e., ostensibly suitable
for allowing users to be able to protect project or private
information and to keep other users from accidentally reading
or destroying their data. The class C1 environment is
expected to be one of cooperating users processing data at the
same level of sensitivity.

Class C2: Controlled Access Protection

Systems in this class enforce a more finely grained
discretionary access control than C1 systems, making users
individually accountable for their actions through login
procedures, auditing of security-relevant events, and resource
isolation.

Class B1: Labeled Security Protection

Class B1 systems require all the features required for class
C2. In addition, an informal statement of the security policy
model, data labeling (e.g., secret or proprietary), and
mandatory access control over named subjects and objects must
be present. The capability must exist for accurately labeling
exported information.

Class B2: Structured Protection

In class B2 systems, the TCB is based on a clearly defined and
documented formal security policy model that requires the
discretionary and mandatory access control enforcement found
in class B1 systems be extended to all subjects and objects in
the automated data processing system. In addition, covert
channels are addressed. The TCB must be carefully structured
into protection-critical and non-protection-critical
elements. The TCB interface is well-defined and the TCB
design and implementation enable it to be subjected to more
thorough testing and more complete review. Authentication
mechanisms are strengthened, trusted facility management is
provided in the form of support for system administrator and
operator functions, and stringent configuration management
controls are imposed. The system is relatively resistant to
penetration.

Class B3: Security Domains

The class B3 TCB must satisfy the reference monitor
requirements that it mediate all accesses of subjects to
objects, be tamperproof, and be small enough to be subjected
to analysis and tests. To this end, the TCB is structured to
exclude code not essential to security policy enforcement,
with significant system engineering during TCB design and
implementation directed toward minimizing its complexity. A
security administrator is supported, audit mechanisms are
expanded to signal security-relevant events, and system
recovery procedures are required. The system is highly
resistant to penetration.
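The C2, B1 and B3 summaries above describe three mechanisms that build on each other: individual discretionary access control with an audit trail (C2), sensitivity labels with mandatory access control (B1), and a single reference monitor through which every access decision passes (B3). The following toy reference monitor is an added example written for this FAQ page; it is not code from the FAQ, from the ITCSEC, or from any evaluated product. The users, labels, objects and ACLs are constructed sample data, and the label ordering follows the usual Bell-LaPadula rules (no read up, no write down) as one possible MAC policy.

```python
"""Toy reference monitor illustrating the C2 / B1 / B3 concepts in this FAQ.

Added example, not part of the original FAQ or any evaluated product.
  - C2: discretionary access control keyed by individual user, plus an
        audit record of every security-relevant decision
  - B1: sensitivity labels on subjects and objects, enforced by label
        dominance (read requires clearance >= label, write requires
        label >= clearance, i.e. no read up / no write down)
  - B3: one mediation point, check_access(), through which all requests go
All names, levels and compartments below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Sensitivity levels ordered low to high (constructed names, not mandated by TCSEC)
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: level at least as high and compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> {"read", "write"}


@dataclass
class Subject:
    user: str
    clearance: Label


class ReferenceMonitor:
    def __init__(self) -> None:
        self.objects: Dict[str, Obj] = {}
        # Audit trail of (user, operation, object, result); every decision lands here (C2)
        self.audit: List[Tuple[str, str, str, str]] = []

    def add_object(self, obj: Obj) -> None:
        self.objects[obj.name] = obj

    def _dac_allows(self, subj: Subject, obj: Obj, op: str) -> bool:
        # C1/C2: the owner always has access; other users are looked up individually
        return subj.user == obj.owner or op in obj.acl.get(subj.user, set())

    def _mac_allows(self, subj: Subject, obj: Obj, op: str) -> bool:
        # B1: simple security property for read, *-property for write
        if op == "read":
            return subj.clearance.dominates(obj.label)
        if op == "write":
            return obj.label.dominates(subj.clearance)
        return False

    def check_access(self, subj: Subject, obj_name: str, op: str) -> bool:
        """Single mediation point (B3): MAC and DAC must both allow; every outcome is audited."""
        obj = self.objects.get(obj_name)
        if obj is None:
            self.audit.append((subj.user, op, obj_name, "DENY:no-such-object"))
            return False
        if not self._mac_allows(subj, obj, op):
            self.audit.append((subj.user, op, obj_name, "DENY:mac"))
            return False
        if not self._dac_allows(subj, obj, op):
            self.audit.append((subj.user, op, obj_name, "DENY:dac"))
            return False
        self.audit.append((subj.user, op, obj_name, "ALLOW"))
        return True


def demo() -> dict:
    """Run a constructed scenario and return the decisions and the audit trail."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("SECRET", frozenset({"NUC"})))
    bob = Subject("bob", Label("CONFIDENTIAL"))
    carol = Subject("carol", Label("UNCLASSIFIED"))
    rm.add_object(Obj("plan.txt", "alice", Label("SECRET", frozenset({"NUC"})),
                      acl={"bob": {"read"}}))
    rm.add_object(Obj("memo.txt", "bob", Label("CONFIDENTIAL"),
                      acl={"alice": {"read", "write"}}))
    decisions = [
        rm.check_access(alice, "plan.txt", "read"),   # owner, label dominated: ALLOW
        rm.check_access(bob, "plan.txt", "read"),     # ACL says yes, but read up: DENY:mac
        rm.check_access(alice, "memo.txt", "read"),   # read down, ACL grants: ALLOW
        rm.check_access(alice, "memo.txt", "write"),  # ACL grants, but write down: DENY:mac
        rm.check_access(bob, "plan.txt", "write"),    # write up passes MAC, ACL lacks write: DENY:dac
        rm.check_access(carol, "missing.txt", "read"),  # unknown object: DENY:no-such-object
    ]
    return {"decisions": decisions, "audit": rm.audit}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The ordering of the checks matters for what the audit trail reveals: MAC is evaluated before DAC, so a denial that would have been allowed by the ACL alone (bob reading plan.txt) is recorded as a label violation rather than a discretionary one. A real B3 TCB would also have to be tamperproof and small enough to analyse, which no Python script can claim; the example only shows the mediation and audit shape the FAQ describes.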

Class A1: Verified Design

Systems in class A1 are functionally equivalent to those in
class B3 in that no additional architectural features or
policy requirements are added. The distinguishing feature of
systems in this class is the analysis derived from formal
design specification and verification techniques and the
resulting high degree of assurance that the TCB is correctly
implemented. This assurance is developmental in nature,
starting with a formal model of the security policy and a
formal top-level specification (FTLS) of the design. An FTLS
is a top level specification of the system written in a
formal mathematical language to allow theorems (showing the
correspondence of the system specification to its formal
requirements) to be hypothesized and formally proven. In
keeping with the extensive design and development analysis of
the TCB required of systems in class A1, more stringent
configuration management is required and procedures are
established for securely distributing the system to sites. A
system security administrator is supported.